Governance
Governance is how Platform Engineers control what developers can and can't change when deploying. Lock fields to enforce standards, mark fields as required to prevent empty deploys, and publish versions to track changes.
The Blueprint Editor
Open any company blueprint and click the Edit icon (pencil) to open the governance editor. The editor shows all configuration fields organized by section.
Field States
Each field has three controls:
| Icon | State | Meaning |
|---|---|---|
| 🔒 Lock | LOCKED | Value set by the Platform Engineer (PE); the developer cannot change it |
| ✱ Required | REQUIRED | Developer must fill this field before deploying |
| 🔓 Unlocked | Editable | Developer can set any value (default) |
Locking a Field
Click the lock icon next to any field to lock it at its current value. Locked fields appear with a red "LOCKED" badge and the text "GOV-002: Locked by platform team" in the deploy form.
Common fields to lock:
- enable_s3_endpoint — force S3 VPC endpoints for cost optimization
- enable_dynamodb_endpoint — force DynamoDB endpoints
- network_name — enforce naming conventions (e.g., "vnet-tellez")
- routing_mode — force REGIONAL for cost control
- auto_create_subnetworks — disable GCP auto-subnets
Making a Field Required
Click the asterisk icon to mark a field as required. Required fields show a red asterisk in the deploy form. The deploy button stays disabled until all required fields are filled.
Common required fields:
- environment — force explicit environment tagging
- project_name — ensure resource naming consistency
- team_name — track ownership
Publishing Versions
After changing governance, click Save Changes. Archie auto-increments the version:
- v1.0.0 → v1.0.1 (governance change)
- v1.0.1 → v1.0.2 (another governance change)
The Versions tab shows the full history. Each version records what changed.
Profiles
Toggle between Non-prod and Production profiles to set different governance rules per environment. Production profiles can enforce stricter controls.
Governance in the Deploy Form
When a developer deploys, they see governance in action:
- Locked fields appear greyed out with "GOV-002: Locked by platform team"
- Required fields show a red asterisk and block deployment if empty
- Editable fields are fully interactive with descriptions and defaults
The developer never touches IaC code — they fill a form with guardrails already in place.
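The three field states and the per-environment profiles described above, modelled as a check on one submitted deploy form. This is an added example, not Archie's code or API: the `FieldRule` model, the function names, the profile contents and the sample values are assumptions; only the field names and the GOV-002 message come from this page.

```python
# Added illustration: data model and names are assumptions, not Archie's API.
from dataclasses import dataclass
from typing import Any

LOCKED, REQUIRED, EDITABLE = "LOCKED", "REQUIRED", "EDITABLE"

@dataclass(frozen=True)
class FieldRule:
    state: str = EDITABLE
    value: Any = None  # pinned value when LOCKED, default value otherwise

def evaluate(rules: dict, submitted: dict):
    """Return (effective_values, violations) for one deploy submission."""
    effective, violations = {}, []
    for name, rule in rules.items():
        given = submitted.get(name)
        if rule.state == LOCKED:
            # The pinned value always wins; a differing submission is reported.
            if name in submitted and given != rule.value:
                violations.append(f"{name}: GOV-002: Locked by platform team")
            effective[name] = rule.value
        elif rule.state == REQUIRED:
            # Whitespace-only strings count as empty.
            if given is None or (isinstance(given, str) and not given.strip()):
                violations.append(f"{name}: required field is empty")
            else:
                effective[name] = given
        else:
            effective[name] = rule.value if given is None else given
    return effective, sorted(violations)

def can_deploy(rules: dict, submitted: dict) -> bool:
    """Mirror the deploy button: enabled only when nothing is violated."""
    return not evaluate(rules, submitted)[1]

# Constructed profiles: production is stricter than non-prod.
NON_PROD = {
    "routing_mode": FieldRule(EDITABLE, "REGIONAL"),
    "enable_s3_endpoint": FieldRule(EDITABLE, False),
    "environment": FieldRule(REQUIRED),
}
PRODUCTION = {
    "routing_mode": FieldRule(LOCKED, "REGIONAL"),
    "enable_s3_endpoint": FieldRule(LOCKED, True),
    "environment": FieldRule(REQUIRED),
    "team_name": FieldRule(REQUIRED),
}
```

The same submission can pass under one profile and fail under the other, which is the point of keeping separate Non-prod and Production rules.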
Compliance Checks
At the Review step, Archie runs cloud-specific compliance checks:
AWS checks:
- Starter template compliance (simplified for starters)
Azure checks:
- No Public Blob Access
- Encryption at Rest
- HTTPS Only
- WAF Required
- No Unrestricted Inbound
- NSG Explicit Deny-All
Each check shows PASS or FAIL. Policy warnings (like missing tags) are non-blocking.
What's Next
- Deploying — see governance in action during deployment
- Stacks & Lifecycle — manage deployed infrastructure